Data security has become more critical than ever in today’s rapidly advancing digital landscape. Organizations must adopt adequate security and privacy standards to protect their users, data, and reputation. This is especially true for platforms like Drupal, which powers countless public-facing websites across various industries. Cybersecurity and privacy regulations were introduced and revisited to coordinate our response to these challenges even before the age of AI arrived.
The evolution of Drupal as an API-first platform
Since the release of Drupal 8, the platform has transformed from a traditional CMS to an API-first framework, meeting the demands of modern web development. The integration of the JSON:API module into Drupal 8.7.0 was a milestone that made it possible to access and interact with content in Drupal through standardized APIs. This made Drupal an ideal choice for decoupled and hybrid applications, for pairing with modern frontend JavaScript frameworks, as a backend for the Internet of Things (IoT), and beyond.
This API-first approach meets the needs of modern applications but also opens up new challenges in security and data privacy, especially given the rise of artificial intelligence. As more systems connect through APIs, they become potential entry points for malicious activity, underlining the importance of robust security measures.
Drupal's pioneering role in security
Drupal has consistently led the way in security within the open-source CMS landscape, thanks to its dedicated security team and community-driven development model. Security practices in Drupal are guided by well-defined policies, and security vulnerabilities are addressed in a controlled manner, making Drupal a trusted choice for enterprises, governments, and other high-stakes environments. Yet the shift to API-first and headless implementations brings new considerations for data privacy and security practices.
When the JSON:API module is enabled with its default configuration and no additional security hardening, it creates a standard, public-facing interface that exposes the usernames of all registered users on a Drupal site to visitors. No such interface existed before the JSON:API module was merged into Drupal. This change raised privacy concerns and triggered an ongoing community discussion about username exposure by default. Publicly available usernames, while beneficial in some contexts (e.g. community sites or public leaderboards), can also pose security risks, including vulnerability to brute-force attacks, credential stuffing, and social engineering tactics. These threats, while always present, are increasingly sophisticated in the AI era, necessitating a more nuanced approach to username visibility.
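A check for the exposure described above, as an added example that is not Pronovix's or Drupal's code: it inspects the body returned to an anonymous request against your own site's JSON:API user collection (assumed here to be `/jsonapi/user/user`) and reports which user resources disclose a username. The attribute names `name` and `display_name` are assumptions about Drupal core's user resource, and both sample responses are constructed.

```python
import json

# Attributes assumed to carry a username in a Drupal JSON:API user resource.
USERNAME_ATTRIBUTES = ("name", "display_name")

# Constructed sample: anonymous response from a site with default settings.
DEFAULT_RESPONSE = """{
  "jsonapi": {"version": "1.0"},
  "data": [
    {"type": "user--user", "id": "00000000-0000-4000-8000-000000000001",
     "attributes": {"display_name": "alice.example"}},
    {"type": "user--user", "id": "00000000-0000-4000-8000-000000000002",
     "attributes": {"display_name": "bob.example", "name": "bob.example"}},
    {"type": "node--article", "id": "00000000-0000-4000-8000-000000000003",
     "attributes": {"title": "Hello"}}
  ]
}"""

# Constructed sample: a response in which no user resource is disclosed.
HARDENED_RESPONSE = '{"jsonapi": {"version": "1.0"}, "data": []}'


def exposed_usernames(document):
    """Map resource id -> disclosed username attributes for user resources."""
    data = document.get("data") or []
    if isinstance(data, dict):  # individual resource, not a collection
        data = [data]
    findings = {}
    for resource in data:
        if not isinstance(resource, dict) or resource.get("type") != "user--user":
            continue
        attributes = resource.get("attributes") or {}
        leaked = {k: attributes[k] for k in USERNAME_ATTRIBUTES if attributes.get(k)}
        if leaked:
            findings[resource.get("id", "<no id>")] = leaked
    return findings


def audit(raw_body):
    """Parse an anonymous response body and summarise what it discloses."""
    try:
        document = json.loads(raw_body)
    except json.JSONDecodeError:
        return {"parsed": False, "exposed": {}}
    if not isinstance(document, dict):
        return {"parsed": False, "exposed": {}}
    return {"parsed": True, "exposed": exposed_usernames(document)}
```

Run `audit()` on the body fetched without a session cookie before and after hardening; an empty `exposed` map is the result to expect once username visibility is restricted.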
Diverse security requirements in a complex landscape
Drupal serves a diverse user base with varying security needs, from public community platforms to developer portals like the ones we build for a wide range of customers from various industries. Our customers are subject to the requirements of the Payment Services Directive (PSD2), Digital Operational Resilience Act (DORA), Network and Information Security (NIS2) and the General Data Protection Regulation (GDPR), to name a few. Given these requirements, the default exposure of usernames could contradict privacy policies, and many organizations prefer more granular control over what data is made publicly available.
Our contribution to username privacy in Drupal
Pronovix developed solutions to address these challenges on the developer portals we build and support for our clients, where they have been successfully in use for some time. Today, we are excited to open-source two of these components to provide developers, site builders, and individuals with fine-grained control over username visibility:
- View Usernames: This module introduces a configurable API for implementing custom rules, or "deciders," that manage username visibility. It also changes Drupal’s default policy, so only users with “administer users” or “view usernames” permissions can view other users' usernames.
- View Usernames Node Author: This module allows content authors’ usernames to be visible only to those with access to at least one of their authored nodes, balancing community visibility with security needs.
At Pronovix, we view these contributions as an initial step toward integrating a comprehensive solution for more sophisticated and granular access control over usernames within Drupal core. We are committed to collaborating with the Drupal community to implement a stable approach that enhances username privacy while preserving Drupal’s flexibility. As AI and cybersecurity continue to evolve, we believe that adaptable data privacy measures will become an essential feature for secure, future-proof platforms like Drupal.
Stay tuned for a follow-up post where we’ll dive into the implementation details of these modules and how they can be customized to suit various site requirements.
Are you interested in our solution and want to discuss how we can help? Contact us, and we can talk about your specific case.
All Pronovix publications are the fruit of a team effort, enabled by the research and collective knowledge of the entire Pronovix team. Our ideas and experiences are greatly shaped by our clients and the communities we participate in.